DETAILED ACTION

Response to Amendment 
Applicant has amended claims 1-10, 14-16, and 18, and therefore claims 1-19 are now 
pending. 

Specification 

The proposed specification corrections received on November 15, 2002 have been 
accepted. 

Response to Arguments 
Applicant's arguments filed November 15, 2002 have been fully considered but they are
not persuasive. The applicant argues that Levergood et al. does not disclose (i) storing status data 
indicating an identifier issued to an authenticated user's client terminal as being a validating 
identifier, and (ii) validating document requests by a resource server by checking the status data. 
However it is the examiner's position that Levergood et al. teaches (i) storing status data 
indicating an identifier issued to an authenticated user's client terminal as being a validating 
identifier (column 3, lines 50-55 and 66-67 through column 4, lines 1-4 and column 8, lines 1-3 
and 9-12 and column 115, lines 15-21), and (ii) validating document requests by a resource
server by checking the status data (column 6, lines 58-65 and column 7, lines 51-53 and 63-67 
and Fig.2B) and therefore independent claims 1 and 9 are rejected as well as dependent claims 2- 
8 and 10-19. 

Levergood et al. discloses, '...SID comprises a compact ASCII string that encodes a user
identifier... an expiration time... The content server logs the GET request in the transaction
database by recording the tagged URL, the client IP address, and the current time.' The
examiner's position is that the expiration time within the SID is a determinant of whether the
identifier is valid. And the expiration time is stored within the transaction database. Therefore the
stored status data (expiration time) indicates the validity of the identifier. Levergood et al. also
teaches that '...a valid SID allows the client to access all controlled files within a protection
domain without requiring further authorization. A protection domain is... a collection of
controlled files... if the relative link points to a controlled page in a different protection domain,
the SID is no longer valid...' The examiner's position is that a collection of controlled files is a
form of stored status data, and this determines the extent of the identifier's validity. Therefore the
identifier is not valid when attempting to access files outside of the collection (stored status
data).

Levergood et al. discloses, 'Upon receiving the GET request, the authentication server 
queries an account database to determine whether the user is authorized to access the requested 
document. A preferred account database may contain a user profile which includes information 
for identifying purposes, such as client IP address and password,...'. The examiner's position is
that upon a GET request (document request) the account database (status data) is queried to 
determine whether the user is authorized to make the request (the request is valid). 

Claim Rejections - 35 USC § 102

1. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent by another filed in the United 
States before the invention thereof by the applicant for patent, or on an international application by another who 
has fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of this title before the invention 
thereof by the applicant for patent. 

The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act of 1999 
(AIPA) do not apply to the examination of this application as the application being examined 
was not (1) filed on or after November 29, 2000, or (2) voluntarily published under 35 U.S.C. 
122(b). Therefore, this application is examined under 35 U.S.C. 102(e) prior to the amendment
by the AIPA (pre-AIPA 35 U.S.C. 102(e)). 

2. Claims 1, 3, 4, 8, 9, 10, 11, 13, 15, 16, 17, 18, and 19 are rejected under 35 U.S.C. 102(e) 
as being unpatentable by US Patent No. 5,708,780 to Levergood et al. 

Regarding claim 1, Levergood et al. teaches a method of operating an authenticating 
server system for authenticating users at client terminals connected via a data communications 
network (column 3, lines 8-9), to control access to a document stored on a resource server, said 
method comprising performing the following steps in said server system: storing authentication 
details of authorized users (column 6, lines 61-63); receiving authentication data for a user from 
a client terminal of the user, and validating said authentication data by reference to said stored 
authentication details (column 3, lines 25-26 and column 6, lines 58-60); issuing an identifier for 
the user's client terminal to said terminal for storage thereon (column 3, lines 17-20), the 
identifier being transmitted in such a manner that the identifier is retransmitted by said user's 
client terminal with document requests directed at said resource server (column 3, lines 12-17);
storing status data indicating said identifier to be a validated identifier of a terminal of a currently 
authenticated user (column 3, lines 50-55 and 66-67 through column 4, lines 1-4 and column 8, 
lines 1-3 and 9-12 and column 115, lines 15-21), in response to the receipt and validation of the 
authentication data; and enabling said resource server to validate a request for said document 
from the user's client terminal, which request includes said identifier, by checking said status 
data on receipt of said document request (column 6, lines 58-65 and column 7, lines 51-53 and 
63-67 and Fig.2B). 

Referring to claim 3, Levergood et al. teaches a method according to claim 1, wherein 
said authentication step comprises receiving said identifier from said user's client terminal with 
said authentication data (column 3, lines 44-47). 

Regarding claim 4, Levergood et al. teaches a method according to claim 3, wherein a
new identifier is issued to said user's client terminal if said authentication data is invalid (column
5, lines 46-49).

Referring to claim 8, Levergood et al. teaches a method according to claim 1, comprising 
authenticating said user for access to a plurality of Web servers located in the same Internet 
domain (column 3, lines 66-67); and enabling each of said Web servers to validate document
requests from the user's client terminal, which requests include said identifier (column 3, lines
44-45), by checking said status data on receipt of a document request (column 6, lines 58-60).

Regarding claim 9, Levergood et al. teaches a method of operating an authenticating 
server system for authenticating users at client terminals connected via a data communications 
network (column 3, lines 8-9), to control access to a document stored on a resource server, said 
method comprising performing the following steps in said server system: storing authentication
details of authorized users (column 6, lines 61-63); performing remote authentication of a user 
by reference to said stored authentication details (column 3, lines 25-26 and column 6, lines 58- 
65 and column 7, lines 51-53 and 63-67 and Fig.2B) and during said remote authentication step 
generating status data, distinguishing said user from other users which are not currently 
authenticated (column 6, lines 61-63), and a secret encryption key shared with said user (column 
5, lines 61-65); storing said status data in storage means accessible to said plurality of resource 
servers to check an authentication status of said user by using an identifier for the user's client 
terminal received in a service request (column 3, lines 13-16 and column 6, lines 58-65 and 
column 7, lines 51-53 and 63-67 and Fig.2B); and storing said shared secret key in a data store 
accessible by at least one of said resource servers for use during communications with said user 
(column 5, lines 61-65). 

Referring to claim 10, Levergood et al. teaches a method according to claim 9, wherein 
said remote authenticating step comprises issuing a challenge to the user's client terminal, 
receiving a response to said challenge, and verifying said response (column 6, lines 45-49 and 
58-60). 

Referring to claim 11, Levergood et al. teaches a method according to claim 9, further
comprising updating said status data for an authenticated user following said storing step
(column 7, lines 31-34 and 63-64).

Regarding claim 13, Levergood et al. teaches a method according to claim 11, wherein 
said updating step is performed in response to access by one of said resource servers to said 
status data (column 8, lines 52-55). 

Regarding claim 15, Levergood et al. teaches a method according to claim 9, wherein
said identifier is an IP address of the user's client terminal (column 1, lines 39-41). 

Referring to claim 16, Levergood et al. teaches a method according to claim 9, wherein 
said authentication step comprises issuing said identifier to the user's client terminal (column 3, 
lines 30-32). 

Regarding claim 17, Levergood et al. teaches a method according to claim 9, wherein 
said status data is stored in a data store which said resource servers are each able to access 
(column 6, lines 61-63 and column 7, lines 31-34). 

Referring to claim 18, Levergood et al. teaches a method according to claim 9, wherein 
said authentication details include data identifying the rights of access of individual users to one 
or more of said resource servers (column 3, lines 50-52). 

Regarding claim 19, Levergood et al. teaches an authenticating server system adapted to 
perform the method of claim 1 (column 5, lines 48-49 and column 6, lines 58-60). 

Claim Rejections - 35 USC § 103 

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the
manner in which the invention was made. 

4. Claim 2 is rejected under 35 U.S.C. 103(a) as being unpatentable over US Patent No.
5,708,780 to Levergood et al. in view of Kirsch. 

Regarding claim 2, Levergood et al. teaches a method according to claim 1, wherein said
identifier is transmitted to said user's client terminal (column 3, lines 30-32). 

Levergood et al. does not teach the transmission of the identifier in a cookie. Kirsch 
teaches that said identifier is transmitted in a cookie to said user's client terminal (column 3, 
lines 14-16 and column 13, lines 11-13). Therefore, it would have been obvious to one having
ordinary skill in the art at the time the invention was made to further modify the internet server 
access control and monitoring system of Levergood et al. by transmitting the identifier in a 
cookie because it is a more secure manner of storage and transport of identification data.

5. Claims 5, 6, 7, 12, and 14 are rejected under 35 U.S.C. 103(a) as being unpatentable over
US Patent No. 5,708,780 to Levergood et al. in view of See et al.

Regarding claim 5, Levergood et al. teaches of an identifier (column 1, lines 39-41), and 
the reception of an invalid authenticator from said user's client terminal (column 7, lines 13-14).

Levergood et al. does not teach that the identifier contains the number of times an invalid 
authenticator was received. See et al. teaches said identifier comprises data indicating the 
number of times an invalid authenticator has been received from said user's client terminal 
(column 3, lines 23-25). Therefore, it would have been obvious to one having ordinary skill in 
the art at the time the invention was made to further modify the internet server access control and 
monitoring system of Levergood et al. by having the identifier contain the number of times an 
invalid authenticator was received because a user can be denied access if they submit multiple 
invalid authenticators thus providing the system with added security and access control. 

Referring to claim 6, Levergood et al. teaches of an identifier (column 1, lines 39-41),
and the reception of an invalid authenticator from said user's client terminal (column 7, lines
13-14).

Levergood et al. does not teach that the system will not issue identifiers to the user if an 
identifier received from that user shows that a predetermined number of invalid authenticators 
have been received from the user. See et al. teaches said method comprising issuing no further 
identifier to said user's client terminal if an identifier received from said user's client terminal
indicates that a predetermined number of invalid authenticators have been received from said 
user's client terminal (column 6, lines 23-26). Therefore, it would have been obvious to one 
having ordinary skill in the art at the time the invention was made to further modify the internet 
server access control and monitoring system of Levergood et al. by not issuing identifiers to the 
user if an identifier received from that user shows that a predetermined number of invalid 
authenticators have been received from the user because this provides the system with added 
security and access control by not allowing unauthorized users access to server information. 

Regarding claim 7, Levergood et al. teaches of an identifier (column 1, lines 39-41). 

Levergood et al. does not teach of timing out of an identifier. See et al. teaches of timing 
out of said identifier of a terminal of a currently authenticated user if no document request is 
received from said user's client terminal for a predetermined period (column 7, lines 32-36).
Therefore, it would have been obvious to one having ordinary skill in the art at the time the 
invention was made to further modify the internet server access control and monitoring system of 
Levergood et al. by timing out an identifier because if a user were to forget to logout of a session 
another could use that workstation to access information that they are not authorized to view and 
the timing out of the identifier lessens the chance of this happening therefore increasing the
security of the system. 

Referring to claim 12, Levergood et al. teaches of an updating step (column 7, lines 31-34
and 63-64). 

Levergood et al. does not teach of the updating step being performed because of a time- 
out. See et al. teaches said updating step is performed in response to a time-out associated with 
said status data (column 7, lines 32-36 and lines 37-39). Therefore, it would have been obvious 
to one having ordinary skill in the art at the time the invention was made to further modify the 
internet server access control and monitoring system of Levergood et al. by performing the 
updating step because of a time-out because this will give the system up-to-date information on 
the state of the workstation. 

Referring to claim 14, Levergood et al. teaches a method according to claim 12, wherein 
said updating step is performed in response to a request by the user's client terminal (column 4, 
lines 1-4). 

Conclusion 

6. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

The following patents are cited to further show the state of the art with respect to server 
access control in general: 

US Pat No 5,506,961 to Carlson et al. 
US Pat No 6,377,994 to Auk et al. 
US Pat No 5,812,776 to Gifford.

7. Applicant's amendment necessitated the new ground(s) of rejection presented in this
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a).
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to April L Baugh whose telephone number is 703-305-5317. The
examiner can normally be reached on Monday-Friday 7:00am-3:30pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, David A Wiley can be reached on 703-308-5221. The fax phone numbers for the
organization where this application or proceeding is assigned are 703-746-9149 for regular 
communications and 703-746-9149 for After Final communications. 

Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the receptionist whose telephone number is 703-305-3900. 